e91056d140d4b1f647fa92d6ddab5c986c8eb54f738f8c84ce0de009ba901580

Resubmissions

21-07-2024 19:41

240721-yehdfs1epe 1

21-07-2024 19:41

240721-yd3m1a1ene 7

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

src/css/bootstrap.min.css
Size

151KB
MD5

bb84936d7c7700b31719a49340a42bd8
SHA1

51c552a6ad57d57bd134949c3d5312881f51a893
SHA256

0d4f6240127cf5d1cfda2caeb0283efb4c9c879e43031f102fa3fc09853ae1b2
SHA512

378d79842249749c7ed5405f50bb7e8be8a1bce9f8d95fe43a33a9a75513878099ef41f1e5b0e52abc966aa10a7d8ffc1183aefc2d8cbb26a5b89af22b52dbe5
SSDEEP

1536:4t64783RipVVsEBpy0cuJcf22WWp5CyVUpz600I4fM:4t64JyVUpz600I4fM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1464	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1464	5048	cmd.exe	85
PID 5048 wrote to memory of 1464	5048	cmd.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\src\css\bootstrap.min.css
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\src\css\bootstrap.min.css
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads